kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-07-06 16:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added ldap support

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-07-04 21:49:31 +02:00
parent 06b864ad52
commit 1858c1970f
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
7 changed files with 133 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
roles/docker-friendica/meta/main.yml
View File

@ -21,3 +21,4 @@ galaxy_info:
run_after: run_after:
- docker-matomo - docker-matomo
- docker-keycloak - docker-keycloak
- docker-ldap

45
roles/docker-friendica/tasks/main.yml
View File

@ -3,6 +3,17 @@
include_role: include_role:
name: docker-central-database name: docker-central-database
- name: "create {{ friendica_host_ldap_config }}"
template:
src: "ldapauth.config.php.j2"
dest: "{{ friendica_host_ldap_config }}"
mode: '644'
owner: root
group: 33
force: yes
notify: docker compose up
when: applications | is_feature_enabled('ldap',application_id)
- name: "include role nginx-domain-setup for {{application_id}}" - name: "include role nginx-domain-setup for {{application_id}}"
include_role: include_role:
name: nginx-domain-setup name: nginx-domain-setup
@ -11,3 +22,37 @@
http_port: "{{ ports.localhost.http[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}"
- include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml" - include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/create-files.yml"
- name: Build friendica_addons based on features
set_fact:
friendica_addons: >-
{{
friendica_addons | default([])
+ [{
'name': item.key,
'enabled': (
applications[application_id].features.oidc
if item.key == 'keycloakpassword'
else applications[application_id].features.ldap
if item.key == 'ldapauth'
else (item.value.enabled if item.value is mapping and 'enabled' in item.value else False)
)
}]
}}
loop: "{{ applications[application_id].addons | dict2items }}"
loop_control:
label: "{{ item.key }}"
- name: Ensure Friendica addons are in sync
command: >
docker compose exec --user www-data
application
bin/console addon
{{ 'enable' if item.enabled else 'disable' }}
{{ item.name }}
args:
chdir: "{{ docker_compose.directories.instance }}"
loop: "{{ friendica_addons }}"
loop_control:
label: "{{ item.name }}"

5
roles/docker-friendica/templates/docker-compose.yml.j2
View File

@ -6,8 +6,9 @@ services:
image: "{{ applications[application_id].images.friendica }}" image: "{{ applications[application_id].images.friendica }}"
{% include 'roles/docker-compose/templates/services/base.yml.j2' %} {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes: volumes:
- html:/var/www/html - html:{{ friendica_application_base }}
- data:/var/www/data - data:/var/www/data # I assume that this one is unnessecarry
- {{ friendica_host_ldap_config }}:{{ friendica_docker_ldap_config }}:ro
ports: ports:
- "127.0.0.1:{{ports.localhost.http[application_id]}}:80" - "127.0.0.1:{{ports.localhost.http[application_id]}}:80"

6
roles/docker-friendica/templates/env.j2
View File

@ -3,11 +3,11 @@
FRIENDICA_URL=https://{{domains | get_domain(application_id)}} FRIENDICA_URL=https://{{domains | get_domain(application_id)}}
HOSTNAME={{domains | get_domain(application_id)}} HOSTNAME={{domains | get_domain(application_id)}}
FRIENDICA_NO_VALIDATION={{no_validation | lower}} FRIENDICA_NO_VALIDATION={{friendica_no_validation | lower}}
# Debugging # Debugging
FRIENDICA_DEBUGGING= {% if enable_debug | bool %}true{% else %}false{% endif %} FRIENDICA_DEBUGGING={% if enable_debug | bool %}true{% else %}false{% endif %}{{"\n"}}
FRIENDICA_LOGLEVEL= 5 FRIENDICA_LOGLEVEL={% if enable_debug | bool %}9{% else %}5{% endif %}{{"\n"}}
FRIENDICA_LOGGER=syslog FRIENDICA_LOGGER=syslog
# Database Configuration # Database Configuration

51
roles/docker-friendica/templates/ldapauth.config.php.j2 Normal file
View File

@ -0,0 +1,51 @@
<?php
// Source: https://git.friendi.ca/friendica/friendica-addons/src/branch/develop/ldapauth
// Warning: Don't change this file! It only holds the default config values for this addon.
// Instead, copy this file to config/ldapauth.config.php in your Friendica directory and set the correct values there
return [
'ldapauth' => [
// ldap_server (String)
// ldap hostname server - required
// Example: ldap_server = host.example.com
'ldap_server' => '{{ ldap.server.uri }}',
// ldap_binddn (String)
// admin dn - optional - only if ldap server dont have anonymous access
// Example: ldap_binddn = cn=admin,dc=example,dc=com
'ldap_binddn' => '{{ ldap.dn.administrator.data }}',
// ldap_bindpw (String)
// admin password - optional - only if ldap server dont have anonymous access
'ldap_bindpw' => '{{ ldap.bind_credential }}',
// ldap_searchdn (String)
// dn to search users - required
// Example: ldap_searchdn = ou=users,dc=example,dc=com
'ldap_searchdn' => '{{ ldap.dn.ou.users }}',
// ldap_userattr (String)
// attribute to find username - required
// Example: ldap_userattr = uid
'ldap_userattr' => '{{ ldap.user.attributes.id }}',
// ldap_group (String)
// DN of the group whose member can auth on Friendica - optional
'ldap_group' =>'',
// ldap_autocreateaccount (Boolean)
// To create Friendica account if user exists in ldap
// Requires an email and a simple (beautiful) nickname on user ldap object
// active account creation - optional - default true
'ldap_autocreateaccount' => true,
// ldap_autocreateaccount_emailattribute (String)
// attribute to get email - optional - default : 'mail'
'ldap_autocreateaccount_emailattribute' => '{{ ldap.user.attributes.mail }}',
// ldap_autocreateaccount_nameattribute (String)
// attribute to get nickname - optional - default : 'givenName'
'ldap_autocreateaccount_nameattribute' => '{{ ldap.user.attributes.firstname }}',
],
];

23
roles/docker-friendica/vars/configuration.yml
View File

@ -2,10 +2,27 @@ images:
friendica: "friendica:latest" friendica: "friendica:latest"
features: features:
matomo: true matomo: true
css: true css: false # Temporary deactivated
portfolio_iframe: true portfolio_iframe: true
oidc: true oidc: false # Implementation doesn't work yet
central_database: true central_database: true
ldap: true
oauth2: false # No special login side which could be protected, use 2FA of Friendica instead
domains: domains:
aliases: canonical:
- "social.{{ primary_domain }}" - "social.{{ primary_domain }}"
csp:
flags:
script-src-elem:
unsafe-inline: true
script-src:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
oauth2_proxy:
application: "application"
port: "80"
addons:
keycloakpassword:
ldapauth:

7
roles/docker-friendica/vars/main.yml
View File

@ -1,3 +1,8 @@
application_id: "friendica" application_id: "friendica"
database_type: "mariadb" database_type: "mariadb"
no_validation: "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active
friendica_no_validation: "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active
friendica_application_base: "/var/www/html"
friendica_docker_ldap_config: "{{friendica_application_base}}/config/ldapauth.config.php"
friendica_host_ldap_config: "{{ docker_compose.directories.volumes }}ldapauth.config.php"